[SOLVED] pfsense as openvpn client - issue with port forwarding

Hi guys
My pfsense acts as an openvpn client. I have another server elsewhere which is my openvpn server.
My problem is with port forwarding from that server to internal network behind pfsense.

My openvpn server details:
vpn ip: 10.8.0.1
external: 1.1.1.1

pfsense details:
vpn ip: 10.8.0.10
external ip: 2.2.2.2

Now my setup and what works when I try to telnet to the server behind pfsense:
10.8.0.1 > telnet to 10.8.0.10 = works
telnet to 2.2.2.2 > nat 10.8.0.10 = works
telnet to 1.1.1.1 > nat 10.8.0.10 is not working

I have all the correct rules (I believe) in iptables on my vpn server, so I have a feeling that I am missing some rule on my pfsense so it can accept connections from my openvpn server when it's accessed via its external IP.

Thanks jimp. Looks like I've got all that set up already, except that my pfsense is 2.0.2. I looked at the download links on the pfsense download section but I couldn't find any later version than the one I have already; even the pfsense dashboard says I'm on the latest.

It looks like this isn't fixing the problem. I have my pfsense upgraded to the 2.1 version now.
I have checked the rules and everything looks good.
I have a rule allowing traffic on port 32005 for the LAN interface, the OPT interface which is TUN0, as well as on the OpenVPN tab, and still nothing.

Would that be iptables on the other end? Below is the iptables from my openvpn server on the other end:

# block bogon networks

block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
antispoof for em0

# block anything from private networks on interfaces with the option set

antispoof for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
block in log quick on $WAN from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
block in log quick on $WAN from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
antispoof for em1

# make sure the user cannot lock himself out of the webConfigurator or SSH

# User-defined rules follow

anchor "userrules/*"
pass in quick on $WAN proto tcp from any to pfSense-External port 80 flags S/SA keep state label "USER_RULE"
pass in quick on $WAN proto tcp from any to any port 22 flags S/SA keep state label "USER_RULE"
pass in quick on $WAN proto tcp from any to any port 32005 flags S/SA keep state label "USER_RULE"
pass in quick on $WAN proto udp from any to pfSense-External port 1194 keep state label "USER_RULE: OpenVPN WAN OpenVPN wizard"
pass in quick on $LAN from 192.168.1.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on $OpenVPN from any to any keep state label "USER_RULE: OpenVPN WAN OpenVPN wizard"
pass in quick on $OpenVPN proto { tcp udp } from any to 192.168.2.12 port 32005 keep state label "USER_RULE: NAT "
pass in quick on $OpenVPN proto { tcp udp } from any to 192.168.2.12 port 34000 keep state label "USER_RULE: NAT "
pass in quick on $RUSSIA proto tcp from any to any port 32005 flags S/SA keep state label "USER_RULE"
pass in quick on $RUSSIA from 192.168.2.1/24 to any keep state label "USER_RULE"
pass in quick on $HOSTKEY reply-to ( ovpnc1 10.8.0.11 ) proto tcp from any to any port 32005 flags S/SA keep state label "USER_RULE"
pass in quick on $HOSTKEY reply-to ( ovpnc1 10.8.0.11 ) from any to any keep state label "USER_RULE"

You can have rules on the OpenVPN tab just make sure they don't match the traffic that would be coming over the assigned interface. Meaning, specify a proper source on the rules for other VPN instances and not just use 'any' or at least make sure that they don't match the same exact traffic as the rules on the assigned interface.

The wizard adds the any/any rule because most people don't want nor need to assign the VPN interface and just want to pass in all traffic from the VPN to their LAN or internal networks.
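The rule-order point above can be checked mechanically. The following Python script is an added example, not code from this thread or from pfSense: it models pf's evaluation order (rules are evaluated top to bottom in the order rules.debug lists them, a matching "quick" rule ends evaluation, and only the winning rule's reply-to decides where the return traffic leaves) over a constructed subset of the posted ruleset in the posted order. It assumes that the assigned client interface ovpnc1 ($HOSTKEY) is a member of the "OpenVPN" interface group, adds a hypothetical second instance ovpns1 to that group, uses a constructed external client address 203.0.113.5 as the forwarded connection's source, and uses the hypothetical tunnel network 10.8.1.0/24 as the "proper source" for the OpenVPN-tab rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Interface macros and groups as pfSense expands them in rules.debug.
# Assumption: ovpnc1 ($HOSTKEY) is also in the "OpenVPN" group, so the
# $OpenVPN (OpenVPN tab) rules are evaluated against its traffic first.
# ovpns1 is a hypothetical second OpenVPN instance.
IFACE_MACROS = {"WAN": "em0", "LAN": "em1", "HOSTKEY": "ovpnc1"}
IFACE_GROUPS = {"OpenVPN": {"ovpnc1", "ovpns1"}}


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    on: str                         # interface macro or group, without '$'
    src: str = "any"                # "any" or CIDR
    dst: str = "any"                # "any", CIDR or host
    proto: Tuple[str, ...] = ("any",)
    port: Optional[int] = None      # destination port, None = any
    reply_to: Optional[Tuple[str, str]] = None   # (interface, gateway)
    quick: bool = True              # every pfSense user rule is 'quick'
    label: str = ""


@dataclass
class Packet:
    iface: str                      # real interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int


def _iface_matches(on: str, iface: str) -> bool:
    if on in IFACE_GROUPS:
        return iface in IFACE_GROUPS[on]
    return IFACE_MACROS.get(on, on) == iface


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_iface_matches(rule.on, pkt.iface)
            and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and ("any" in rule.proto or pkt.proto in rule.proto)
            and (rule.port is None or rule.port == pkt.dport))


def winning_rule(rules, pkt: Packet) -> Optional[Rule]:
    """pf evaluation: the last matching rule wins, except that a matching
    'quick' rule ends evaluation immediately."""
    winner = None
    for rule in rules:
        if rule_matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner


def reply_path(rules, pkt: Packet) -> str:
    """Return path recorded in the state: the winning rule's reply-to
    gateway if it has one, otherwise the system default route (WAN)."""
    rule = winning_rule(rules, pkt)
    if rule is None or rule.action != "pass":
        return "blocked"
    if rule.reply_to:
        return "reply-to %s via %s" % rule.reply_to
    return "default route"


def shadowed_reply_to_rules(rules, pkt: Packet):
    """Labels of reply-to rules that match pkt but can never win because an
    earlier quick rule without reply-to matches it first."""
    winner = winning_rule(rules, pkt)
    if winner is None or winner.reply_to:
        return []
    return [r.label for r in rules
            if r is not winner and r.reply_to and rule_matches(r, pkt)]


def build_rules(openvpn_tab_src: str = "any"):
    """Constructed subset of the posted ruleset, in the posted order;
    openvpn_tab_src is the source used on the OpenVPN-tab rules."""
    rt = ("ovpnc1", "10.8.0.11")
    return [
        Rule("pass", "OpenVPN", src=openvpn_tab_src, label="OpenVPN wizard"),
        Rule("pass", "OpenVPN", src=openvpn_tab_src, dst="192.168.2.12",
             proto=("tcp", "udp"), port=32005, label="NAT"),
        Rule("pass", "HOSTKEY", proto=("tcp",), port=32005, reply_to=rt,
             label="HOSTKEY 32005"),
        Rule("pass", "HOSTKEY", reply_to=rt, label="HOSTKEY any"),
    ]


# Constructed packet: a forwarded connection from an external client
# (203.0.113.5) arriving over the client tunnel for the internal host.
FORWARDED = Packet(iface="ovpnc1", src="203.0.113.5", dst="192.168.2.12",
                   proto="tcp", dport=32005)

if __name__ == "__main__":
    print("any/any OpenVPN tab:", reply_path(build_rules("any"), FORWARDED))
    print("  shadowed reply-to rules:", shadowed_reply_to_rules(build_rules("any"), FORWARDED))
    # OpenVPN-tab rules scoped to the other instance's (hypothetical) tunnel net
    print("scoped OpenVPN tab:", reply_path(build_rules("10.8.1.0/24"), FORWARDED))
```

With the wizard's any/any rule on the OpenVPN tab, the forwarded connection is passed by that rule, so the state has no reply-to and the replies leave by the default route (the WAN at 2.2.2.2) instead of going back through the tunnel, which is the asymmetric path that makes the 1.1.1.1 forward fail while direct 2.2.2.2 and 10.8.0.10 access work. Once the OpenVPN-tab rules carry a source that does not cover this traffic, the $HOSTKEY rule with reply-to wins and the reply returns via ovpnc1.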